Expansion of DHS Continuous Diagnostics Program Considered

The U.S. Department of Homeland Security's building in Washington (Source: Wikipedia/CC)

Bills now being considered in the Congress would make the Department of Homeland Security's Continuous Diagnostics and Mitigation Program available to all federal agencies and provide services to state and local governments to help them address cybersecurity challenges.

When DHS first introduced the program in 2013, some agencies, such as the U.S. Department of Defense, and the intelligence community joined to help develop its capabilities, but the program was not widely deployed across the federal government (see: Federal Agencies Rush to Inventory Key IT Assets).

Current Status of Program

The Department of Homeland Security now makes the Continuous Diagnostics and Mitigation Program available to certain federal government agencies as well as the military, and many of these departments are currently implementing various phases of the program, according to a 2018 report from the U.S. General Accountability Office.

The program uses a series of sensors and tools to paint a more accurate picture of an agency's critical hardware and software assets. That data is then fed back to the Department of Homeland Security, which then helps create dashboards and reports to ensure that the agency is following proper cybersecurity practices, such as making sure that employees and contractors use appropriately secure methods to access federal systems.

The CDM program can also send alerts about vulnerable systems that need repair or patching, according to DHS.
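The paragraphs above describe the shape of a continuous-diagnostics pipeline: sensors report what hardware and software exist, the data is merged into one picture, and dashboards and alerts are derived from it. The following Python script is an added illustration of that flow, not DHS or CDM code. Everything in it is constructed: the two sensor names (`endpoint-agent`, `network-scanner`), the hosts, the patch dates and the 30-day patch window are hypothetical sample values.

```python
"""Toy continuous-diagnostics pipeline: merge sensor inventories, surface
hosts no agent covers, flag stale patching and summarize an access-control
practice (MFA). Added illustration with constructed data; not CDM code."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: str
    last_patched: date
    mfa_enforced: bool  # does the host require MFA for interactive access?


# Constructed sample data: two hypothetical sensors with overlapping coverage.
AS_OF = date(2019, 9, 1)
SENSOR_FEEDS = {
    "endpoint-agent": [
        Asset("ws-01", "os", "10.0", date(2019, 8, 20), True),
        Asset("ws-02", "os", "10.0", date(2019, 6, 1), False),
        Asset("srv-01", "webserver", "2.4", date(2019, 8, 28), True),
    ],
    "network-scanner": [
        Asset("ws-02", "os", "10.0", date(2019, 6, 1), False),
        Asset("srv-02", "database", "5.7", date(2019, 5, 15), True),
    ],
}


def merge_inventory(feeds):
    """Union all sensor feeds, de-duplicating on (host, software).
    When sensors disagree, keep the record with the later patch date,
    treating it as the fresher observation."""
    merged = {}
    for records in feeds.values():
        for a in records:
            key = (a.host, a.software)
            if key not in merged or a.last_patched > merged[key].last_patched:
                merged[key] = a
    return list(merged.values())


def unmanaged_hosts(feeds, agent_feed="endpoint-agent"):
    """Hosts some sensor can see but the endpoint agent does not report:
    the coverage gaps an asset inventory exercise is meant to expose."""
    agent_hosts = {a.host for a in feeds.get(agent_feed, [])}
    seen_elsewhere = {a.host for name, recs in feeds.items()
                      if name != agent_feed for a in recs}
    return sorted(seen_elsewhere - agent_hosts)


def patch_alerts(assets, as_of, max_age_days=30):
    """Assets whose last patch is older than the policy window, worst first."""
    stale = [(a.host, a.software, (as_of - a.last_patched).days)
             for a in assets if (as_of - a.last_patched).days > max_age_days]
    return sorted(stale, key=lambda t: -t[2])


def mfa_rate(assets):
    """Share of distinct hosts that enforce MFA (one vote per host)."""
    hosts = {a.host: a.mfa_enforced for a in assets}
    return sum(hosts.values()) / len(hosts) if hosts else 0.0


def dashboard(feeds, as_of):
    """Roll the merged inventory up into the figures a report would show."""
    assets = merge_inventory(feeds)
    return {
        "asset_count": len(assets),
        "unmanaged_hosts": unmanaged_hosts(feeds),
        "patch_alerts": patch_alerts(assets, as_of),
        "mfa_rate": mfa_rate(assets),
    }


if __name__ == "__main__":
    for name, value in dashboard(SENSOR_FEEDS, AS_OF).items():
        print(f"{name}: {value}")
```

With the constructed feeds, the merge yields four assets, the scanner-only host `srv-02` shows up as a coverage gap, two assets exceed the patch window, and three of four hosts enforce MFA. The point of keeping the metrics as functions over the merged inventory is that a dashboard is only as good as the merge feeding it: a host the agent never reports can still appear in the patch alerts because the scanner saw it.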

Under the proposed bills, the CDM program would be expanded to all federal agencies, plus state and local governments would gain access to various tools and reports that Homeland Security would oversee and produce.

Any agency using CDM would need to create policies for reporting cybersecurity incidents and also submit reports for keeping the program up to date with the threat landscape, the bills propose.

The proposed bills do not describe how the expanded program would be funded.

"As cyber threats continue to increase in frequency and complexity, we must constantly work to enhance our nation's cyber defense capabilities," Ratcliffe says.

Khanna notes: "The technology is there: We just have to ensure our agencies have the necessary tools to defend against hackers and cyber threats. A strong CDM program will be instrumental in that effort."

A Reactive Approach?

Some security researchers contend that the proposal is a reactive approach to countering the increase of cyberattacks that does little to address the present security concerns.

"Anything the government does, such as the proposed bill, is a reactive approach to cyberattacks and threats," Joseph Carson, chief security scientist at security firm Thycotic, tells Information Security Media Group. "They do not necessarily improve cybersecurity nor reduce the threats. However, the purpose is to ensure that the victims of cyberattacks have the sufficient tools needed to respond and reduce the impact."

The weakness of cybersecurity practices within the IT systems of local governments has made them susceptible to attacks, some security experts say.

The latest example of threats to local governments came this week when the mayor of New Bedford, Massachusetts, held a press conference to describe why the city did not pay a ransom after it fell victim to a ransomware attack (see: A Ransomware Tale: Mayor Describes City's Decisions).

About the Author

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked at Analytics India Magazine, The New Indian Express and IDG, where she reported on developments in technology and education.
